The new FADP and the cookie banner confusion: what are the latest rules?


Cookie banners: an everyday phenomenon that divides opinion and raises tempers. One thing’s for sure, however: cookie banners are ubiquitous. Attorney Lucian Hunger and junior associate Alisa Winter from the VISCHER law firm have written this guest post for the Hostpoint blog focusing on cookie banners in the context of the new Swiss Federal Act on Data Protection.

Lucian Hunger · Attorney at Law, VISCHER

Nowadays, a banner pops up immediately on almost every website asking us to accept or refuse cookies, or simply to inform us that cookies are being used before we can browse the website.

In the case of Switzerland, this question can be answered by taking a look at the Telecommunications Act (TCA). This states, in Art. 45c TCA, that “processing of data on external equipment by means of transmission using telecommunications techniques is permitted only […] if users are informed about the processing and its purpose and are informed that they may refuse to allow processing.”

Accordingly, in principle, the use of cookies and other technologies in Switzerland does not require consent, as long as the user does not assert their right of refusal or the relevant website uses methods that do not involve personal data. According to Swiss law, it’s sufficient to provide information on processing and the right of refusal. Asking for consent via a cookie banner is not required.

According to Swiss law, cookie banners are not required for Swiss websites.

However, it is also conceivable that information about the processing and its purpose or the right of refusal does not even have to be provided. After all, the obligation set out in the Telecommunications Act only exists in those circumstances in which the following prerequisites are met:

At this juncture, it’s also worth noting the following point: Art. 45c TCA is technology-neutral. This means its provisions apply irrespective of whether cookies or other comparable technologies are used. What matters is whether the above conditions are fulfilled or not.

What changes with the new Swiss Federal Act on Data Protection?

In short: with regard to cookie banners, nothing. They are also not required under the new Swiss legislation.

The revised Federal Act on Data Protection (FADP) entering into force on September 1, 2023 sets out a new provision in Art. 7(3) whereby the controller (website operator) must also ensure through pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise. In some places, this stipulation is interpreted as an obligation to use cookie banners. However, in the view of VISCHER's legal experts, this is not correct: the controller can provide the user with several cookie and data-protection options. If they offer such options to choose from and the cookies contain personal data, then – and only then – must the pre-defined setting provide for the least extensive setting on the basis of the new provision. However, if the website does not offer the option to choose, then logically no pre-defined settings are needed.

The new law therefore changes nothing in this area: from September 2023, there is no obligation for websites aimed at users in Switzerland to have cookie banners. Incidentally, there is also no obligation that a box on a consent banner may not already be pre-checked.

When processing personal data (e.g. using cookies or other technologies), the provisions of the Federal Act on Data Protection, as well as the Telecommunications Act, must be observed. Assessing the lawfulness of data processing and the necessity of consent may also be required in the event that data is disclosed to third parties or abroad, or in the event of particularly extensive tracking.

In a previous Hostpoint blog post, the VISCHER law firm described what to look out for in the new Federal Act on Data Protection. Read the post “The new Data Protection Act will take effect in 2023. What you need to know”.

What do I need to do now as a website operator?

As we’ve mentioned, a cookie banner is generally not required – neither to obtain consent nor to inform users about the use of cookies.

If cookies or other technologies are used, processing and the purposes of processing must be referred to in the privacy policy available on the website. In addition, the privacy policy must indicate that users can refuse processing by changing their own browser settings.

A more user-friendly method of refusal can also be integrated into the site if no settings options are provided. Otherwise, these would have to provide the least extensive setting when visiting the website.

Find out more:
In a previous post on the Hostpoint blog, the law firm VISCHER put together some important and helpful tips for drafting a privacy policy for your own website. Read the post “How to write a good privacy policy for your website”.

European law

However, caution is advised. Although cookie banners are not legally required for websites in Switzerland under Swiss law, there’s a (rather considerable) catch:

Swiss companies and website operators may be obliged under European law to use cookie banners and obtain consent. If a website is aimed at EU member states, the ePrivacy Directive or its national implementing legislation may apply. The ePrivacy Directive states that the storage of information or access to information that is already stored on a user’s device is only permitted after clear and informed consent, unless it involves data that is technically required to provide the desired service in the first place. According to EU law, unlike Swiss legislation, prior consent is required to obtain and process information. This consent can be obtained via a cookie banner, for instance.

Like the Swiss Telecommunications Act, the ePrivacy Directive is also technology-neutral and applies irrespective of whether cookies are stored or other technologies (such as what is known as “fingerprinting”) are used to access information on the device. It therefore depends on the precise design of the technology in each case, not on what the technology is called. If a “cookieless” method is used, you should not automatically draw the conclusion that consent is not required. According to the ePrivacy Directive, what matters is whether information is stored on the device or stored information is accessed. In the latter case, the widespread (but not undisputed) view is that it must still be decided whether only information is processed that the browser sends to the server anyway (known as “header information”) or whether further information is actively accessed. According to the ePrivacy Directive, consent is usually not required for processing information that is sent additionally by the browser.

If websites are used to sell products in the EEA, cookie banners are required in certain cases according to the ePrivacy Directive and GDPR.

Now it gets really interesting: if a Swiss company (using its website, for instance) offers goods or services in the European Economic Area (EEA) or tracks the behavior of individuals in the EEA, it may be required to consider the provisions of the European General Data Protection Regulation (GDPR) in addition to the ePrivacy Directive. The GDPR applies not only in the EU, but in the entire EEA (including Liechtenstein, for instance). It is only applicable if a personal reference can be established. In the view of many EEA data protection authorities, however, this already exists if individual users can be specified with the allocation of identification numbers. If technologies are used to track users over multiple visits and then create a profile for marketing purposes, many EEA data protection specialists believe that consent is required as a basis, even if the visitors cannot be identified.

A website operator is therefore well-advised always to check whether the ePrivacy Directive or GDPR is actually applicable in the first instance. If this is the case, consent is generally required by means of a cookie banner when using cookies. With a “cookieless” method, the exact design may require closer examination. To minimize potential risks, it may therefore make sense to obtain consent for the sake of simplicity. Work on the ePrivacy Regulation is currently underway in the EU. This may entail further new developments in future.

About the authors:
This post was written by two legal experts, Lucian Hunger (attorney) and Alisa Winter (junior associate) at the VISCHER law firm, and was contributed as a guest post to the Hostpoint blog.
